Remove failed login attempt for saml authenticator (opensearch-projec…

…t#4762) Signed-off-by: Derek Ho <dxho@amazon.com> Signed-off-by: Terry Quigley <terry.quigley@sas.com>
terryquigleysas · Oct 3, 2024 · b9ef451 · b9ef451
1 parent 0afed99
commit b9ef451
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
@@ -88,6 +88,7 @@ public class HTTPSamlAuthenticator implements HTTPAuthenticator, Destroyable {
     private static final Pattern PATTERN_PATH_PREFIX = Pattern.compile(REGEX_PATH_PREFIX);
 
     private static boolean openSamlInitialized = false;
+    public static final String SAML_TYPE = "saml";
 
     private String subjectKey;
     private String rolesKey;
@@ -175,7 +176,7 @@ public AuthCredentials extractCredentials(final SecurityRequest request, final T
 
     @Override
     public String getType() {
-        return "saml";
+        return SAML_TYPE;
     }
 
     @Override

diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -75,6 +75,7 @@
 import static org.apache.http.HttpStatus.SC_FORBIDDEN;
 import static org.apache.http.HttpStatus.SC_SERVICE_UNAVAILABLE;
 import static org.apache.http.HttpStatus.SC_UNAUTHORIZED;
+import static com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.SAML_TYPE;
 
 public class BackendRegistry {
 
@@ -303,7 +304,10 @@ public boolean authenticate(final SecurityRequestChannel request) {
                 if (authDomain.isChallenge()) {
                     final Optional<SecurityResponse> restResponse = httpAuthenticator.reRequestAuthentication(request, null);
                     if (restResponse.isPresent()) {
-                        auditLog.logFailedLogin("<NONE>", false, null, request);
+                        // saml will always hit this to re-request authentication
+                        if (!authDomain.getHttpAuthenticator().getType().equals(SAML_TYPE)) {
+                            auditLog.logFailedLogin("<NONE>", false, null, request);
+                        }
                         if (isTraceEnabled) {
                             log.trace("No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'");
                         }